Papers Link
Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts
Introduction
Category
- Problem Pattern: Well-studied problems
Motivation
Background
- The research problem is that the emerging smart contract systems built over decentralized cryptocurrencies lack transactional privacy; as a result all transactions, including the flow of money between pseudonyms and the amounts transacted, are exposed on the blockchain.
- The lack of privacy is a major hindrance towards the broad adoption of decentralized smart contracts, since financial transactions are considered by many individuals and organizations as being highly secret.
- The original Bitcoin offers limited programmability. Ethereum allows for programmability but does not guarantee transactional privacy, while Zerocash guarantees transactional privacy but at the price of even less programmability than Bitcoin.
Literature Review
Leveraging blockchain for financial fairness. A few prior works have explored how to leverage the blockchain technology to achieve fairness in protocol design. For example, Bentov et al., Andrychowicz et al., Kumaresan et al. [40], Kiayias et al. [36], as well as Zyskind et al. [59], show how Bitcoin can be used to ensure fairness in secure multi-party computation protocols. These protocols also perform off-chain secure computation of various types, but do not guarantee transactional privacy (i.e., hiding the currency flows and amounts transacted). For example, it is not clear how to implement our sealed auction example using these earlier techniques. Second, these earlier works either do not offer system implementations or provide implementations only for specific applications (e.g., lottery). In comparison, Hawk provides a generic platform such that nonspecialist programmers can easily develop privacy-preserving smart contracts.
Smart contracts. The conceptual idea of programmable electronic “smart contracts” dates back nearly twenty years [53]. Besides recent decentralized cryptocurrencies, which guarantee authenticity but not privacy, other smart contract implementations rely on trusted servers for security [46]. Our work therefore comes closest to realizing the original vision of parties interacting with a trustworthy “virtual computer” that executes programs involving money and data.
Programming frameworks for cryptography. Several works have developed programming frameworks that take in high-level programs as specifications and generate cryptographic implementations, including compilers for secure multi-party computation [19], [39], [41], [51], authenticated data structures [44], and (zero-knowledge) proofs [12], [30], [31], [49]. Zheng et al. show how to generate secure distributed protocols such as sealed auctions, battleship games, and banking applications [58]. These works support various notions of security, but none of them interact directly with money or leverage public blockchains for ensuring financial fairness. Thus our work is among the first to combine the “correct-by-construction” cryptography approach with smart contracts.
In concurrent and independent work, Kiayias et al. propose a blockchain model in the (Generalized) Universal Composability framework and use it to derive results that are similar to what we describe in Appendix G-A, i.e., fair MPC with public deposits.
Research Niche
Despite the expressiveness and power of the blockchain and smart contracts, the present form of these technologies lacks transactional privacy. The entire sequence of actions taken in a smart contract are propagated across the network and/or recorded on the blockchain, and therefore are publicly visible. Even though parties can create new pseudonymous public keys to increase their anonymity, the values of all transactions and balances for each (pseudonymous) public key are publicly visible. Further, recent works have also demonstrated deanonymization attacks by analyzing the transactional graph structures of cryptocurrencies.
The lack of privacy is a major hindrance towards the broad adoption of decentralized smart contracts, since financial transactions (e.g., insurance contracts or stock trading) are considered by many individuals and organizations as being highly secret. Although there has been progress in designing privacy-preserving cryptocurrencies such as Zerocash, this system forgoes programmability, and it is unclear a priori how to enable programmability without exposing transactions and data in cleartext to miners.
Work
Research Objectives
Hawk, proposed in this paper, is the first system to simultaneously offer transactional privacy and programmability in a decentralized cryptocurrency system.
Hawk is a framework for building privacy-preserving smart contracts. With Hawk, a non-specialist programmer can write a Hawk program without having to implement any cryptography.
Research Summary
Hawk is presented as the blockchain model of cryptography and privacy-preserving smart contracts.
Evaluation
Evaluation Summary
We built a Hawk prototype and evaluated its performance by implementing several example applications, including a sealed-bid auction, a “rock, paper, scissors” game, a crowdfunding application, and a swap financial instrument. We propose interesting protocol optimizations that gained us a factor of 10× in performance relative to a straightforward implementation. We show that for at about 100 parties (e.g., auction and crowdfunding), the manager’s cryptographic computation (the most expensive part of the protocol) is under 2.85min using 4 cores, translating to under $0.14 of EC2 time. Further, all on-chain computation (performed by all miners) is very cheap, and under 20ms for all cases.
Implications
We propose interesting protocol optimizations that gained us a factor of 10 in performance relative to a straightforward implementation. We show that for at about 100 parties (e.g., auction and crowdfunding), the manager’s cryptographic computation (the most expensive part of the protocol) is under 2.85min using 4 cores, translating to under $0.14 of EC2 time. Further, all on-chain computation (performed by all miners) is very cheap, and under 20ms for all cases.
Novelty
Contributions
Hawk is the first to simultaneously offer transactional privacy and programmability in a decentralized cryptocurrency system.
Formal models for decentralized smart contracts. We are among the first ones to initiate a formal, academic treatment of the blockchain model of cryptography. We present a formal, Universal Composability (UC) model for the blockchain model of cryptography – this formal model is of independent interest, and can be useful in general for defining and modeling the security of protocols in the blockchain model. Our formal model has also been adopted by the Gyges work in designing criminal smart contracts.
In defining our formal blockchain model, we rely on a notion called wrappers to modularize our protocol design and to simplify presentation. Wrappers handle a set of common details such as timers, pseudonyms, and global ledgers in a centralized place such that they need not be repeated in every protocol.
New cryptography suite. We implement a new cryptography suite that binds private transactions with programmable logic. Our protocol suite contains three essential primitives: freeze, compute, and finalize. The freeze primitive allows parties to commit to not only normal data, but also coins. Committed coins are frozen in the contract, and the payout distribution will later be determined by the program φpriv. During compute, parties open their committed data and currency to the manager, such that the manager can compute the function φpriv. Based on the outcome of φpriv, the manager now constructs new private coins to be paid to each recipient. The manager then submits to the blockchain both the new private coins as well as zero-knowledge proofs of their well-formedness. At this moment, the previously frozen coins are now redistributed among the users. Our protocol suite strictly generalizes Zerocash since Zerocash implements only private money transfers between users without programmability.
We define the security of our primitives using ideal functionalities, and formally prove security of our constructions under a simulation-based paradigm.
Implementation and evaluation. We built a Hawk prototype and evaluated its performance by implementing several example applications, including a sealed-bid auction, a “rock, paper, scissors” game, a crowdfunding application, and a swap financial instrument. We propose interesting protocol optimizations that gained us a factor of 10× in performance relative to a straightforward implementation. We show that for at about 100 parties (e.g., auction and crowdfunding), the manager’s cryptographic computation (the most expensive part of the protocol) is under 2.85min using 4 cores, translating to under $0.14 of EC2 time. Further, all on-chain computation (performed by all miners) is very cheap, and under 20ms for all cases. We will open source our Hawk framework in the near future.
Key Concepts
Blockchain
A blockchain is a decentralized, distributed ledger system. It can be used to register and issue digital assets, property certificates, loyalty points and the like, and to transfer, pay and trade them peer to peer. Compared with a traditional centralized ledger, a blockchain system is fully public, tamper-resistant and prevents double spending, and it does not depend on any trusted third party.
Consensus Mechanism
Because a peer-to-peer network has high network latency, the order in which different nodes observe transactions cannot be fully consistent. A blockchain system therefore needs a mechanism to reach agreement on the ordering of transactions that occur at roughly the same time. An algorithm that reaches agreement on the order of transactions within a time window is called a “consensus mechanism”.
Sealed-Bid Auction
A sealed-bid auction, colloquially a “sealed tender”, is one in which the starting price and reserve price are kept strictly secret before the auction. Bidders cannot learn the starting price in advance, nor can they compute their expected gain before the auction. Not only the bidders but even the auctioneer knows nothing about the starting and reserve prices, because in many sealed-bid auctions these are placed in a sealed envelope that the consignor delivers on the spot.
Ethereum
Ethereum is a platform and a programming language that enables developers to build and publish the next generation of distributed applications. Ethereum can be used to program, decentralize, secure and trade anything: voting, domain names, financial exchanges, crowdfunding, company governance, contracts and most kinds of agreements, intellectual property, and smart property enabled by hardware integration.
Zero-Knowledge Proof
The “zero-knowledge proof” was proposed by S. Goldwasser, S. Micali and C. Rackoff in the early 1980s. It refers to a prover being able to convince a verifier that some statement is true without giving the verifier any useful information. A zero-knowledge proof is essentially a protocol involving two or more parties, that is, the sequence of steps two or more parties take to complete a task. The prover proves to the verifier, and convinces it, that the prover knows or possesses some message, but the proving process must not leak to the verifier any information about the message being proved. It has been shown many times that zero-knowledge proofs are very useful in cryptography; if they can be applied to verification, they can effectively solve many problems.
Other Terms
Universal Composability(UC) Model
A model proposed in the paper: We present a formal, Universal Composability (UC) model for the blockchain model of cryptography – this formal model is of independent interest, and can be useful in general for defining and modeling the security of protocols in the blockchain model.
Wrapper
The paper also introduces a notion called a Wrapper, used to modularize the paper's cryptographic protocols and to simplify the presentation. Specifically: Wrappers handle a set of common details such as timers, pseudonyms, and global ledgers in a centralized place such that they need not be repeated in every protocol.
New Cryptography suite
The paper implements a new cryptography suite that binds private transactions with programmable logic. The suite consists of three basic primitives: freeze, compute, and finalize. It is built mainly on top of Zerocash.
Freeze
The freeze primitive lets users commit not only to their normal data but also to coins. The committed coins are frozen by the contract, and the payout distribution is determined later by the private program.
Compute
During compute (off-chain), the contract parties open their committed data and currency to the manager, who executes the private part φpriv of the Hawk program. Based on the result of φpriv, the manager constructs new private coins to pay each recipient. Finally the manager submits the newly constructed private coins together with zero-knowledge proofs to the blockchain. In this process, the coins previously frozen by the contract are redistributed to the contract parties.
Finalize
When the manager submits the result of executing φpriv together with a zero-knowledge proof of correct execution to the Hawk blockchain, the blockchain verifies the proof and returns the frozen money to each corresponding user. Here the blockchain also forwards the manager's public inputs and public outputs to the public Hawk contract φpub. The public contract φpub triggers its check function to verify the manager's inputs and to redistribute the public deposits.
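As an added illustration of the freeze/compute/finalize flow described under "New cryptography suite" and in the three sections above (this is not the paper's code), the following Python model runs a sealed-bid auction in which the ledger stores only commitments, the manager verifies the openings and runs φpriv off-chain, and finalize checks the result before redistributing the frozen coins. The hash commitment, the first-price auction rule, and the "proof", which here carries the openings in the clear in place of Hawk's zero-knowledge proof, are assumptions of this demo.

```python
import hashlib, os

def commit(value, rand=None):
    # Hash commitment with 16 bytes of randomness; stands in for Hawk's commitment scheme (assumption).
    rand = os.urandom(16) if rand is None else rand
    return hashlib.sha256(rand + value.to_bytes(8, "big")).hexdigest(), rand

def freeze(ledger, party, coins, bid):
    # freeze: commit to coins and private data (the bid); only commitments reach the ledger,
    # the opening is handed to the manager off-chain.
    c_coin, r_coin = commit(coins)
    c_bid, r_bid = commit(bid)
    ledger["frozen"][party] = (c_coin, c_bid)
    return {"coins": coins, "bid": bid, "r_coin": r_coin, "r_bid": r_bid}

def phi_priv(openings, seller):
    # Private program for a first-price sealed-bid auction: the highest bidder pays its bid to
    # the seller, every other bidder gets its frozen coins back.
    winner = max(openings, key=lambda p: openings[p]["bid"])
    payout = {p: o["coins"] for p, o in openings.items()}
    payout[winner] -= openings[winner]["bid"]
    payout[seller] = payout.get(seller, 0) + openings[winner]["bid"]
    return winner, payout

def compute(ledger, openings, seller):
    # compute (off-chain): the manager checks each opening against its on-chain commitment, runs
    # phi_priv and mints new committed coins; the "proof" is the openings, a stand-in for Hawk's ZK proof.
    for p, o in openings.items():
        if (commit(o["coins"], o["r_coin"])[0], commit(o["bid"], o["r_bid"])[0]) != ledger["frozen"][p]:
            raise ValueError(f"opening of {p} does not match its frozen commitment")
    winner, payout = phi_priv(openings, seller)
    new_coins = {p: commit(v)[0] for p, v in payout.items()}
    return {"winner": winner, "new_coins": new_coins, "proof": (openings, payout)}

def finalize(ledger, submission, seller):
    # finalize (on-chain): verify the proof, then swap the frozen coins for the new ones. Hawk's
    # verifier sees only public data; this stand-in re-runs phi_priv and checks coin conservation.
    openings, payout = submission["proof"]
    if phi_priv(openings, seller)[1] != payout or sum(payout.values()) != sum(o["coins"] for o in openings.values()):
        return False
    ledger["frozen"].clear()
    ledger["coins"].update(submission["new_coins"])  # redistributed, still committed
    return True

def run_demo():
    # Constructed sample: three bidders each freeze 10 coins with sealed bids of 4, 7 and 5.
    ledger = {"frozen": {}, "coins": {}}
    openings = {p: freeze(ledger, p, 10, b) for p, b in [("alice", 4), ("bob", 7), ("carol", 5)]}
    sub = compute(ledger, openings, "seller")
    ok = finalize(ledger, sub, "seller")
    return sub["winner"], sub["proof"][1], ok, set(ledger["coins"])
```

Note that at no point does the ledger hold a bid or a coin value in the clear: only commitments are frozen and only commitments to the new coins are recorded after finalize.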